Техническая информация
Вредоносные функции:
Выполняет код следующих детектируемых угроз:
- Android.Packed.54935
Сетевая активность:
Подключается к:
- UDP(DNS) 8####.8.4.4:53
- UDP(NTP) 2.and####.p####.####.org:123
- TCP(TLS/1.0) cdn.h####.me:443
- TCP(TLS/1.0) 1####.250.150.95:443
- TCP(TLS/1.0) and####.a####.go####.com:443
- TCP(TLS/1.0) e####.tradpl####.com:443
- TCP(TLS/1.0) i####.da####.com.vn:443
- TCP(TLS/1.0) st####.fpt####.net:443
- TCP(TLS/1.0) im####.fo####.com:443
- TCP(TLS/1.0) assets-####.g####.vn:443
- TCP(TLS/1.0) api.tradpl####.com:443
- TCP(TLS/1.0) firebas####.google####.com:443
- TCP(TLS/1.0) static-####.t####.vn:443
- TCP(TLS/1.0) f####.gst####.com:443
- TCP(TLS/1.0) imagi####.endp####.cdn.####.vn:443
- TCP(TLS/1.2) 1####.251.1.94:443
- TCP(TLS/1.2) 1####.250.150.95:443
- TCP(TLS/1.2) 1####.177.14.100:443
- UDP 1####.250.150.95:443
- TCP s####.xem####.xyz:443
- UDP firebas####.google####.com:443
- TCP ap####.da####.com.vn:443
Запросы DNS:
- 2.and####.p####.####.org
- and####.a####.go####.com
- ap####.da####.com.vn
- api.tradpl####.com
- assets-####.g####.vn
- cdn.h####.me
- e####.tradpl####.com
- f####.gst####.com
- firebas####.google####.com
- i####.da####.com.vn
- im####.fo####.com
- imagi####.endp####.cdn.####.vn
- s####.xem####.xyz
- st####.fpt####.net
- static-####.t####.vn
Запросы HTTP GET:
- api.tradpl####.com:443/api/v1_2/open?v=####&sdkv=####&os=####&aid=####&d...
- assets-####.g####.vn:443/images/hq/posters/800x4501.jpg
- cdn.h####.me:443/logo/thumbs/6.png
- cdn.h####.me:443/logo/thumbs/7.png
- i####.da####.com.vn:443/2022/09/08/tenhag-crop-1662603229966.jpeg
- i####.da####.com.vn:443/2022/10/19/fan-village-cabins-zafaran-769033919-...
- i####.da####.com.vn:443/2022/10/19/hlvparkhangseovanhungsailamdocx-16405...
- i####.da####.com.vn:443/2022/10/19/man-united-1024x683-1666152949972.png
- im####.fo####.com:443/image_resources/logo/teamlogo/10058_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/10064_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/102231_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/109374_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/179222_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/194011_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/2373_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/257247.png
- im####.fo####.com:443/image_resources/logo/teamlogo/405790_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/421346_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/8539_small.png
- im####.fo####.com:443/image_resources/logo/teamlogo/859316_small.png
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/47_40cd733...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/48_3f74c6b...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/50_8d553e5...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/54_395bd2b...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/56_265f8fa...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/63_391deaa...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/81_d710942...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/84_9b59e5a...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/85_f93fe18...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/kenh-10_f4...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/kenh-2_ce4...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/on-footbal...
- imagi####.endp####.cdn.####.vn:443/tenants/none_tenant/photos/on-sports_...
- st####.fpt####.net:443/static/img/share/channels/OTT/2022/10/10/icon_cha...
- static-####.t####.vn:443/channel/207/VTVCab11.png
Запросы HTTP POST:
- e####.tradpl####.com:443/api/v1_2/ev
- firebas####.google####.com:443/v1/projects/the-thao-tin-tuc/installations
Изменения в файловой системе:
Создает следующие файлы:
- /data/data/####/-1291501343
- /data/data/####/.xml
- /data/data/####/005e3929f3c9ba76f4eb03cf45d9a03b17b37bef469f1d9....0.tmp
- /data/data/####/005e3929f3c9ba76f4eb03cf45d9a03b17b37bef469f1d9...a1ac.0
- /data/data/####/09432f6933f235e9780aa083da5bf4cb532e8c870a93f3f....0.tmp
- /data/data/####/0f3de9cb394065797895a413c10baaf30365daf333a1d9b...bb96.0
- /data/data/####/1313251b681cea414f8e1c961ddb4a0b42449a41b5e79b6...4678.0
- /data/data/####/2051c80b4399fac12faa481702682230fc5bf73ae592896....0.tmp
- /data/data/####/24bdaea8823ed58fe68aea3c855cada4fea1c5dcda89b7a....0.tmp
- /data/data/####/26cd87fbe921b3017d12dd2ff5d51bb215af035c73c9b56....0.tmp
- /data/data/####/29b089d76a343f789b99a592f0df9271e303e3851863268...leted)
- /data/data/####/2a9e1ed97b5f9b955c734250d56bc295c193e7a924863b9...39bf.0
- /data/data/####/2ddb6119da3f90a85e3d042dcb9d5437a179faf5ad5fdc5...3f26.0
- /data/data/####/3118d5903ca7196668a98e0d060abc42e00785c3d4828cd....0.tmp
- /data/data/####/3118d5903ca7196668a98e0d060abc42e00785c3d4828cd...50ba.0
- /data/data/####/32795e6ef02f40b67a9cf4a9dc37c3b9e0ead53ba5e2edd....0.tmp
- /data/data/####/32795e6ef02f40b67a9cf4a9dc37c3b9e0ead53ba5e2edd...0d1e.0
- /data/data/####/3d30f6d535ca31dae82d2972be9cceda47d0fd6b02ec544....0.tmp
- /data/data/####/3e632158692edefe249d50bec8d4bb8f95111ab20d9a993....0.tmp
- /data/data/####/3e632158692edefe249d50bec8d4bb8f95111ab20d9a993...98a5.0
- /data/data/####/400cc63bdc68159d60f771688c5fec0b4c4d0b9af5357d3...5179.0
- /data/data/####/478a45ceb7f6ff26a6acfb39104c4d106239c1356111d29....0.tmp
- /data/data/####/49d5270789363ebaeaa8c0153027bc4804a368a95053800...6952.0
- /data/data/####/4b02f853977d5536b9b4ed3b3198cae800afe29a0fec7f2....0.tmp
- /data/data/####/504fa7be058db8ae7c9a3e938183db69249359f5d68090c...c7ee.0
- /data/data/####/54790067fece80b94fff4bc28aabeaf0aa7ede3b50173be...leted)
- /data/data/####/62f6cc4c55b6f0c5ecbeb6484ae6735a39c9ce4cff601de...a976.0
- /data/data/####/6891dfbf5038a8e40bd0e3fa24aab31cd528e6eb9d43625...05c2.0
- /data/data/####/6894919c8508208e1d1cdb57b511edc1d3af4b4e83aa84b....0.tmp
- /data/data/####/6952fdc01884c3010a4f0c2d7f698ca6aef430c52302104....0.tmp
- /data/data/####/6d0a67cf7f47de0c0ef39ab899c4e8f1160b7bbe81ac2f0...35d0.0
- /data/data/####/6d29d5e52c62daee3082ac3369ec5a207b87529932b2a48....0.tmp
- /data/data/####/7057bd52d488c745373bece32d6469e4fbe81281627ecea...leted)
- /data/data/####/7c1826e1ad81a600901a0e8e0b2edfebbb2b9fdf54006ba...a1bd.0
- /data/data/####/7c9747f5654f689c194e84b2607788c0df948d7301d5dd2....0.tmp
- /data/data/####/7c9747f5654f689c194e84b2607788c0df948d7301d5dd2...04ff.0
- /data/data/####/8269b6947544d98cbf93b55447766fe47e45381463c9848...e695.0
- /data/data/####/8335e6845d2d9b6d3ad7e462a870795a2104a697075293c...0dbf.0
- /data/data/####/9282437ced02d53fb471610970c541cd380d7698ee54989....0.tmp
- /data/data/####/95bd46581782092f6612bd5b3cebc1e3e642ff4dac7446f...a5ec.0
- /data/data/####/978ee2421c66f27daa5d7d7a81b5c3a87ec9321c517c35d....0.tmp
- /data/data/####/BSJojsRZJREGXm1XC2SPTrX58cnHXWAV.dex
- /data/data/####/BSJojsRZJREGXm1XC2SPTrX58cnHXWAV.dex.flock (deleted)
- /data/data/####/FirebaseHeartBeatW0RFRkFVTFRd+MTo1ODcxMzAxMzE0M...Mz.xml
- /data/data/####/JuqgKORRVb3l2OIip679FsecXXsPUHpd.dex
- /data/data/####/JuqgKORRVb3l2OIip679FsecXXsPUHpd.dex.flock (deleted)
- /data/data/####/N7Y0bQmlXg7M25GYdrlCrtokhZhsGI15.dex
- /data/data/####/PersistedInstallation.W0RFRkFVTFRd+MTo1ODcxMzAx...z.json
- /data/data/####/PersistedInstallation1452289097tmp
- /data/data/####/PersistedInstallation548840368tmp
- /data/data/####/TV.xml
- /data/data/####/a4d35ead06e9f277c06f459a49958cfeb56f6a41491781f...2838.0
- /data/data/####/a7177d7ef235233437e39819503696ec841718ca861b3e8....0.tmp
- /data/data/####/a7177d7ef235233437e39819503696ec841718ca861b3e8...leted)
- /data/data/####/a8fb5656a9fe07eeab360937a3d9f3dcb8ee77b12c1382f...07aa.0
- /data/data/####/aFXUEVeXK6LGMRs9AXBOAARTiJ8gV9fS.dex
- /data/data/####/aFXUEVeXK6LGMRs9AXBOAARTiJ8gV9fS.dex.flock (deleted)
- /data/data/####/b22ade94238dffe1a85ca7f8040d3d180aa25aa6ab139a4...fb84.0
- /data/data/####/b4a6c5d92ad12eed9c5ae02aa2c8fd1c45e4123c1e6bc5f....0.tmp
- /data/data/####/b5220677115918d20997698398905e5c66c3b103f49e5db....0.tmp
- /data/data/####/c53f8928710e8c8d15c4cdc54b13d9526d12ab4c95981dc...964e.0
- /data/data/####/c7193042a42d1ae7fe202eef75030d247380601d0636957...717c.0
- /data/data/####/c9113193b2b4773f30b8df46c28f3dd8f5f7e9315cf4e06....0.tmp
- /data/data/####/c9113193b2b4773f30b8df46c28f3dd8f5f7e9315cf4e06...d8b9.0
- /data/data/####/ca3f9fa48cb4d403e18aa9cc4b81883f106ccfb101fdd79....0.tmp
- /data/data/####/com.google.android.datatransport.events-journal
- /data/data/####/com.google.android.gms.appid-no-backup
- /data/data/####/com.google.android.gms.measurement.prefs.xml
- /data/data/####/com.google.android.gms.measurement.prefs.xml.bak
- /data/data/####/d23f29e3b08afd0285cc863ca72409660787096aae7cc0e...988e.0
- /data/data/####/d469ffb9681d2c42b83fc5d42d9c4acb7d305a7bfd2a9c4....0.tmp
- /data/data/####/d6f3ea984a514899fc401025dd7a3bdab1ba143833f624a....0.tmp
- /data/data/####/d773de7024d04f4124287432aa82674c765522b2768c5ce....0.tmp
- /data/data/####/d773de7024d04f4124287432aa82674c765522b2768c5ce...a936.0
- /data/data/####/d8765bee2dd51a2944ac945b81ca92570e1a4b0ccabedac...b38e.0
- /data/data/####/dfa86dd2a5372660dc1af8164e65d0c1cdd1ac3e9efc1cd....0.tmp
- /data/data/####/e34c60b86e8dff575c69e90195163514463fee7cdc5e288....0.tmp
- /data/data/####/e34c60b86e8dff575c69e90195163514463fee7cdc5e288...f02f.0
- /data/data/####/e502583c81494570fa07c8384b1f8d0912b268ece798340...3128.0
- /data/data/####/ec4038bae607b26cc3ac2e34b4b0aef76be145506c4d4b0...de9b.0
- /data/data/####/ee70d4496fe900f7d67590380d633bfc2625052ba9b5cd4...3313.0
- /data/data/####/f3f96fb03fa8bdff75074c924ac733d9728dfd2b4f4b96f....0.tmp
- /data/data/####/f56714324da8aba25cd335120d9e314c10b1aa1ad7539ce...5e32.0
- /data/data/####/generatefid.lock
- /data/data/####/google_app_measurement_local.db
- /data/data/####/google_app_measurement_local.db-journal
- /data/data/####/journal
- /data/data/####/tradplus.db
- /data/data/####/tradplus.db-journal (deleted)
- /data/data/####/tradplus_sdk.xml
- /data/misc/####/primary.prof
Другие:
Запускает следующие shell-скрипты:
- rm -r/data/user/0/<Package>/app_ded/JuqgKORRVb3l2OIip679FsecXXsPUHpd.dex
- rm -r/data/user/0/<Package>/app_ded/N7Y0bQmlXg7M25GYdrlCrtokhZhsGI15.dex
- rm -r/data/user/0/<Package>/app_ded/aFXUEVeXK6LGMRs9AXBOAARTiJ8gV9fS.dex
Использует следующие алгоритмы для шифрования данных:
- AES-CBC-PKCS7Padding
Использует следующие алгоритмы для расшифровки данных:
- AES
- AES-CBC-PKCS7Padding
- AES-ECB-PKCS5Padding
Отрисовывает собственные окна поверх других приложений.
